Cybersecurity provider, McAfee, has discovered a malicious campaign targeting organisations associated with the 2018 Winter Olympic Games in Pyeongchang, South Korea.
Delivered as a Microsoft Word document attached to an email, the fileless malware attack was aimed at firstname.lastname@example.org, while a number of other organisations, predominantly associated with the upcoming Olympics, were included in the BCC of the email.
This is not the first sign of the malicious campaign, with other related actions having been noted on the 22nd of December 2017 and on the 28th. In these previous instances the attackers had loaded the malicious document with an HTML application (HTA) file before using an image to hide it.
In this most recent case, the attackers acted under the guise of counter terrorism operatives, coinciding with actual anti-terror drills relating to the event.
Analysis from a McAfee report on the document said: “The malicious document was submitted from South Korea to VirusTotal on December 29 at 09:04, a day after the original email was sent to the target list. The email was sent from the IP address 18.104.22.168, in Singapore, on December 28 at 23:34. The attacker spoofed the message to appear to be from email@example.com, which is the National Counter-Terrorism Center (NCTC) in South Korea.”
Peter Carlisle, VP EMEA, Thales eSecurity, said: “Global gatherings such as the Olympics that see world leaders, businesses and governmental organisations converge on one location are a naturally attractive target for digital criminal activity. Notably, it is becoming increasingly likely that multiple attempts will be made to obtain sensitive information like passwords.”
South Korea has previously been the target of cyberattacks thought to have originated in North Korea, and the event is being viewed globally as a test of the relationship between the two countries.
“Based on our analysis of the email header, this message did not come from NCTC, rather from the attacker’s IP address in Singapore. The message was sent from a Postfix email server and originated from the hostname ospf1-apac-sg.stickyadstv.com. When the user opens the document, text in Korean tells the victim to enable content to allow the document to be opened in their version of Word,” McAfee said in the report.
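The header analysis McAfee describes, working back through the Received chain to the host that actually handed the message to the internet and comparing it with the domain claimed in From:, is something a mail-security team can script. The following is an added example written for this article, not McAfee's tooling. The two messages it parses are constructed: the spoofed sample reuses only the originating hostname and IP quoted in the report above, while every address, message id and timestamp is placeholder data, and the legitimate sample is entirely invented. The check assumes that the Received lines written by your own inbound MX are trustworthy; earlier lines can be forged by the sender, which is why the script walks to the first hop with a routable connecting IP rather than trusting the bottom of the chain.

```python
"""Triage of email headers for sender spoofing.

Added example, not McAfee's code.  Sample messages are constructed:
the hostname and IP in SPOOFED are the values quoted in the report,
everything else is placeholder data.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

SPOOFED = """\
Received: from ospf1-apac-sg.stickyadstv.com (ospf1-apac-sg.stickyadstv.com [18.104.22.168])
        by mx.example.org (Postfix) with ESMTP id PLACEHOLDER1
        for <target@example.org>; Thu, 28 Dec 2017 23:34:10 +0900
Received: from localhost (localhost [127.0.0.1])
        by ospf1-apac-sg.stickyadstv.com (Postfix) with ESMTP id PLACEHOLDER0;
        Thu, 28 Dec 2017 23:34:00 +0900
From: "NCTC" <nctc-placeholder@example.gov>
To: target@example.org
Subject: Anti-terror drill notice
Content-Type: application/msword; name="drill.doc"

(constructed body)
"""

LEGIT = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.gov
Received: from mail.example.gov (mail.example.gov [198.51.100.20])
        by mx.example.org (Postfix) with ESMTPS id PLACEHOLDER2;
        Thu, 28 Dec 2017 10:00:00 +0900
From: "NCTC" <nctc-placeholder@example.gov>
To: target@example.org
Subject: Drill schedule

(constructed body)
"""

# One Received line: "from <helo-name> (<rdns> [<ip>]) by <mta> (<software>) ..."
HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"                         # name the sender presented
    r"(?:.*?\[(?:IPv6:)?(?P<ip>[0-9a-fA-F:.]+)\])?"      # connecting IP, if logged
    r".*?by\s+(?P<by_host>\S+)"                          # MTA that wrote the line
    r"(?:\s+\((?P<software>[^)]*)\))?"                   # e.g. (Postfix)
)

# Hops inside these ranges are internal relays, not the internet-facing origin.
# Documentation ranges (198.51.100.0/24 etc.) are deliberately left routable so
# that constructed samples behave like real public addresses.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def _is_routable(ip):
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)


def received_hops(raw):
    """Return the parsed Received chain in chronological order (origin first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))   # unfold the header first
        if m:
            hops.append(m.groupdict())
    hops.reverse()   # MTAs prepend, so the last header is the earliest hop
    return hops


def originating_hop(hops):
    """Index and record of the first hop whose connecting IP is routable."""
    for i, hop in enumerate(hops):
        if _is_routable(hop["ip"]):
            return i, hop
    return None, None


def assess(raw):
    """Compare the claimed From: domain with the real internet-facing origin."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(raw)
    idx, origin = originating_hop(hops)
    reasons = []
    software = None
    if origin is None:
        reasons.append("no routable origin hop")
    else:
        host = origin["from_host"].lower().rstrip(".")
        if not (host == from_domain or host.endswith("." + from_domain)):
            reasons.append("origin host outside sender domain")
        # The hop just before the origin, if written by the same host, reveals
        # the software of the submitting server (Postfix in the report).
        if idx > 0 and hops[idx - 1]["by_host"].lower() == host:
            software = hops[idx - 1]["software"]
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "spf=pass" not in auth:
        reasons.append("no SPF pass recorded")
    return {"from_domain": from_domain, "origin": origin,
            "mta_software": software, "reasons": reasons,
            "suspicious": bool(reasons)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, assess(raw))
```

Run against the spoofed sample, `assess` reports the origin as the report's hostname and Singapore IP, a Postfix submitting server, no SPF pass, and a sender domain that does not match; the legitimate sample passes cleanly. In production the same logic belongs in the mail gateway or SIEM rather than a script, with the "origin host outside sender domain" condition combined with SPF, DKIM and DMARC results before anything is quarantined.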